The Hidden Risk in Third-Party Cyber Risk Management: When TPCRM Teams Don't Fully Understand the Services They Are Assessing


By Fernanda Lopes - Head of Customer Success
Most TPCRM programs look mature on paper. There is a questionnaire library, a security rating service, a tiering model, an annual reassessment cadence, and a dashboard for the board. The risk register is populated, the audit committee is satisfied, and the metrics move in the right direction.
Then the breach happens through a vendor nobody flagged, in a layer of the service nobody mapped, via a control nobody verified. The Verizon Data Breach Investigations Report tells the story plainly: third-party involvement in breaches doubled in a single year, climbing from 15% in 2024 to 30% in 2025. The 2026 report confirms this alarming trajectory, showing another 60% increase, with third parties now involved in 48% of all breaches.
What rarely appears on a risk register, though, is the capability gap inside the TPCRM team itself. When the people running the program do not deeply understand how the services they assess are actually delivered, the program quietly drifts from risk management into compliance theatre. The dashboards still look healthy. The exposure does not.
Here is what that gap looks like in practice, and why the next five years will reward the organizations that close it.
Context-less reviews create false assurance
Questionnaires, SOC 2 attestations, ISO certificates, penetration test summaries: none of these is meaningful in a vacuum. Their value depends entirely on whether the reviewer can interpret them against the way the service actually runs.
If a TPCRM analyst cannot describe the vendor's data flow, the identity boundary, the subcontractor chain, the regions where the workload lives, or which control plane sits in front of the customer data, the evidence gathered in questionnaire responses gets evaluated in isolation. A clean SOC 2 for the corporate environment tells you almost nothing about the production tenant where your data lives. A pen test scoped to the marketing website is not a pen test of the API your engineers integrate with.
The Salesloft-Drift compromise in 2025 made the point with a heavy bill. Attackers stole OAuth tokens from the Drift integration and pivoted into hundreds of connected Salesforce tenants, hitting more than 700 organizations. Most of those organizations had reviewed Drift and Salesloft. Few had a TPCRM team that could explain, in operational terms, that the real exposure was a token in a SaaS-to-SaaS trust path, not the vendor's office laptops.
The result of context-less review is a stellar evaluation and zero risk visibility. Critical exposure paths stay invisible because nobody asked the question that would have surfaced them.
Vendor criticality is often misclassified
Most tiering models are built around contract value, data classification, or a vendor questionnaire about "criticality." These are useful, and they are also wrong often enough to be dangerous.
True criticality lives in business process dependencies and in the impact on the value delivered to end users and shareholders. A small procurement intermediary can be more critical than the largest cloud contract. Chain IQ Group, a procurement outsourcer, was hit in June 2025 and leaked more than 130,000 employee records from clients including UBS and Pictet. Banks tier their hyperscalers carefully. The procurement vendor with access to employee directories rarely gets the same scrutiny.
Qantas saw the same pattern on June 30, 2025, when 5.7 to 6 million customer records were exposed through a platform used by an offshore call centre. The call centre was a sub-supplier of a supplier, the kind of relationship that lives several layers below where most tiering models look.
If the people setting tiers cannot describe how value, trust, and access flow through the vendor ecosystem, the program will keep monitoring the obvious vendors and missing the ones that actually matter.
Cyber risk visibility stops at the vendor boundary
Modern service delivery almost never ends at the named provider. The risk surface includes SaaS platforms running on hyperscalers, subcontracted processing layers, embedded APIs, identity federation chains, external support providers, and offshore delivery centres.
Forrester's Q1 2026 Wave on TPRM platforms put it bluntly: relationship mapping is no longer a "nice-to-have" visualization; it is the only way to expose hidden concentration risk and Nth-party dependencies that static inventories miss.
The September 2025 attack on Collins Aerospace illustrates how fast that concentration becomes operational. A ransomware incident against Collins' Muse check-in software cascaded into Heathrow, Brussels, and Berlin airports simultaneously, cancelling departures and stranding passengers. None of those airports had a contractual relationship with the attacker. They had a shared dependency that their own TPCRM programs treated as someone else's vendor.
If a team cannot map the ecosystem behind a contract, continuous monitoring becomes monitoring of the visible layer only. The real attack surface stays dark.
Real-time risk signals are increasingly available, and underused
Threat intelligence feeds, credential leak monitoring, continuous control monitoring, attack surface management, inside-out posture checks: the signals are now plentiful and mostly cheap. According to the Gartner, Inc.® report Predicts 2026: Third-Party Cybersecurity Risk Management Evolves for the AI Era, by 2028 half of all TPCRM programs will focus on continuous monitoring, allowing CISOs to repurpose due diligence resourcing to other high-value third-party risk mitigation activities. By 2028, organizations integrating TPCRM into cyber GRC programs will achieve more than 20% reductions in labor and technology costs, while fragmented programs will face unsustainable operational overhead.
The catch is interpretation. A leaked credential at a payroll vendor only matters if someone in the TPCRM team can place that credential in the context of how the service is delivered and which of your processes depend on it. Otherwise the signal becomes noise, alerts pile up, and the team ends up triaging Slack notifications instead of reducing exposure.
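The three points above (tiering by business-process dependency rather than contract value, mapping the Nth-party ecosystem behind a contract, and placing a monitoring signal in the context of what depends on it) are all operations on the same dependency graph. The following is an added example, not code from this article or from Tenchi Security: it builds a small constructed vendor ecosystem (all vendor names, contract values and impact scores are invented for illustration), finds the shared Nth-party dependencies that static inventories miss, lists the vendors whose contract-value tier understates their process criticality, and shows which processes a signal at a given node actually touches.

```python
from collections import deque

# Constructed sample ecosystem (not real vendor data). An edge A -> B means
# "A relies on B to deliver the service we consume", so B is an Nth party to us.
DEPENDS_ON = {
    "crm-saas":                ["chat-widget-saas", "hyperscaler-eu-west"],
    "chat-widget-saas":        ["hyperscaler-eu-west", "crm-saas"],  # SaaS-to-SaaS integration
    "hr-platform":             ["procurement-outsourcer", "hyperscaler-eu-west"],
    "call-centre-bpo":         ["contact-centre-platform"],
    "contact-centre-platform": ["hyperscaler-eu-west"],
    "cms-saas":                ["cdn-provider"],
}

# Business processes, the first-party vendors they run on, and the impact
# (1 low .. 5 severe) if the process stops. Constructed for the example.
PROCESSES = {
    "payroll":          {"vendors": ["hr-platform"], "impact": 5},
    "sales-pipeline":   {"vendors": ["crm-saas"], "impact": 4},
    "customer-support": {"vendors": ["call-centre-bpo"], "impact": 4},
    "marketing-site":   {"vendors": ["cms-saas"], "impact": 1},
}

# Annual contract value in USD (constructed). A value of 0 means we hold no
# contract at all: the node is purely an Nth party reached through someone else.
CONTRACT_VALUE = {
    "hyperscaler-eu-west": 2_000_000, "crm-saas": 400_000, "hr-platform": 250_000,
    "cms-saas": 120_000, "call-centre-bpo": 90_000, "chat-widget-saas": 30_000,
    "procurement-outsourcer": 15_000, "contact-centre-platform": 0, "cdn-provider": 0,
}


def reachable(start):
    """Every node `start` depends on, directly or transitively, mapped to its
    shortest depth (1 = the vendor's own supplier, 2 = that supplier's supplier, ...).
    Breadth-first with a visited set, so cyclic integrations terminate."""
    depth = {}
    queue = deque([(start, 0)])
    while queue:
        node, d = queue.popleft()
        for nxt in DEPENDS_ON.get(node, []):
            if nxt != start and nxt not in depth:
                depth[nxt] = d + 1
                queue.append((nxt, d + 1))
    return depth


def process_exposure(process):
    """All nodes whose failure could stop the process: first-party vendors at
    depth 0, their suppliers at depth 1, and so on."""
    exposure = {}
    for vendor in PROCESSES[process]["vendors"]:
        exposure[vendor] = 0
        for node, d in reachable(vendor).items():
            exposure[node] = min(exposure.get(node, d), d)
    return exposure


def concentration():
    """Concentration risk: nodes that more than one business process ultimately
    depends on, even where no process names them as a direct vendor."""
    shared = {}
    for process in PROCESSES:
        for node in process_exposure(process):
            shared.setdefault(node, set()).add(process)
    return {n: sorted(p) for n, p in shared.items() if len(p) > 1}


def criticality(vendor):
    """Tier driven by business-process dependency: the worst impact of any
    process that depends on the vendor, directly or through Nth parties."""
    return max((p["impact"] for name, p in PROCESSES.items()
                if vendor in process_exposure(name)), default=0)


def contract_tier(vendor):
    """The conventional shortcut: tier by contract value alone (thresholds are
    arbitrary for the example)."""
    v = CONTRACT_VALUE.get(vendor, 0)
    return 5 if v >= 1_000_000 else 4 if v >= 250_000 else 3 if v >= 100_000 else 2 if v > 0 else 1


def misclassified():
    """Vendors whose contract-value tier understates their process criticality,
    as (vendor, contract_tier, process_criticality)."""
    nodes = set(CONTRACT_VALUE) | set(DEPENDS_ON)
    return sorted((v, contract_tier(v), criticality(v)) for v in nodes
                  if criticality(v) > contract_tier(v))


def signal_context(node):
    """Place a monitoring signal (e.g. a leaked credential at `node`) in context:
    (process, first-party vendor it enters through, depth), worst impact first."""
    hits = []
    for name, p in PROCESSES.items():
        for vendor in p["vendors"]:
            d = 0 if vendor == node else reachable(vendor).get(node)
            if d is not None:
                hits.append((name, vendor, d))
    return sorted(hits, key=lambda h: (-PROCESSES[h[0]]["impact"], h[2]))


if __name__ == "__main__":
    print("shared Nth-party dependencies:", concentration())
    print("under-tiered by contract value:", misclassified())
    print("signal at procurement-outsourcer touches:", signal_context("procurement-outsourcer"))
```

Run as a script it shows the three failure modes the article describes in one pass: the hyperscaler surfaces as a single point of failure for three processes although only one of them contracts it knowingly, the procurement outsourcer and the contact-centre platform come out as top-tier risks despite a tiny or non-existent contract, and a credential leak at the outsourcer resolves to the payroll process rather than to an undifferentiated alert. The graph is the part worth keeping current; the scoring functions are deliberately simple so that the tiering logic can be replaced with an organization's own impact model.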
There is a second catch. The same Gartner report predicts that by 2028, 70% of organizations and vendors will use GenAI both to fill out and to analyze TPCRM questionnaires. It calls this "security theatre at scale" and warns that GenAI analyzing GenAI-generated responses will drive output degradation, error amplification, and eventually model collapse against actual risk indicators. The questionnaire economy is already eating itself; teams that lean on it as their primary control are leaning on a shrinking signal.
The skills gap that won't show up on a maturity model
This is where the title of this piece lives. Most maturity models score programs on coverage, cadence, automation, and reporting. Almost none of them score whether the people running the program could pass a technical interview on the services they assess.
A capable TPCRM professional in 2026 needs to read a cloud architecture diagram, recognize an IAM trust chain, understand SaaS-to-SaaS OAuth scopes, interpret a vulnerability advisory in the context of a vendor's deployment model, and know enough about subcontractor patterns to ask the second question after the first answer comes back clean. That skill set is closer to a cloud security engineer than to a traditional GRC analyst, and the labour market knows it. The teams that build it will read the same signals everyone else has and see different things.
The regulatory pressure now rewards exactly that depth. DORA enforcement moved from informal tolerance in 2025 to active reviews in 2026, with fines up to 2% of annual global turnover, fixed penalties up to EUR 5 million, and personal fines for senior management up to EUR 1 million. The SEC's Cyber and Emerging Technologies Unit, launched in February 2025, has already settled more than USD 8 million in cybersecurity disclosure penalties, with 2026 examinations explicitly covering vendor oversight. Regulators stopped accepting "the vendor said so" as evidence some time ago.
The organizations that will lead TPCRM over the next five years
They will not be the ones with the longest questionnaires, the most certifications collected, or the highest vendor count in the GRC platform. They will be the ones whose teams can describe, in operational detail, how each critical service is actually delivered, where its dependencies sit, how its identity and data boundaries work, and what would have to break for the business to feel it.
They will treat assessments as a starting point, monitoring as a living input, and skills inside the TPCRM function as a strategic investment rather than a cost line.
TPCRM maturity is not about collecting answers. It is about understanding exposure well enough to act on it before a malicious actor does.
—
At Tenchi Security, we built Zanshin around this premise. Outside-in scans tell part of the story, and inside-out, continuous non-intrusive scanning of authorized cloud and identity environments tells the rest, so TPCRM teams can see how vendor services actually run and reduce risk with them rather than just measure it. If the situation described above sounds familiar, that is a conversation worth having!
Source: Gartner report, Predicts 2026: Third-Party Cybersecurity Risk Management Evolves for the AI Era, by Oscar Isaka, Deepti Gopal et al., February 2026. Gartner is a trademark of Gartner, Inc. and/or its affiliates.


